MAY">
MUST">
MUST NOT">
OPTIONAL">
RECOMMENDED">
REQUIRED">
SHALL">
SHALL NOT">
SHOULD">
SHOULD NOT">
]>
Use of the Content-Disposition Header Field
in the Hypertext Transfer Protocol (HTTP)greenbytes GmbHHafenweg 16MuensterNW48155Germanyjulian.reschke@greenbytes.dehttp://greenbytes.de/tech/webdav/HTTPbis Working Group
HTTP/1.1 defines the Content-Disposition response header field,
but points out that it is not part of the HTTP/1.1 Standard.
This specification takes over the definition and registration of
Content-Disposition, as used in HTTP, and clarifies internationalization
aspects.
This specification is expected to replace the definition of Content-Disposition
in the HTTP/1.1 specification, as currently revised by the IETF HTTPbis
working group. See also .
Discussion of this draft should take place on the HTTPBIS working group
mailing list (ietf-http-wg@w3.org). The current issues list is
at
and related documents (including fancy diffs) can be found at
.
The changes in this draft are summarized in .
HTTP/1.1 defines the Content-Disposition response header field in ,
but points out that it is not part of the HTTP/1.1 Standard ():

Content-Disposition is not part of the HTTP standard, but since it is
widely implemented, we are documenting its use and risks for implementers.

This specification takes over the definition and registration of
Content-Disposition, as used in HTTP.
Based on interoperability testing with existing User Agents,
it fully defines a profile of the
features defined in the Multipurpose Internet Mail Extensions (MIME) variant () of the
header field, and also clarifies internationalization
aspects.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document
are to be interpreted as described in .
This specification uses the augmented BNF notation defined in
, including its rules for
linear whitespace (LWS).
The Content-Disposition response header field is used to convey additional
information about how to process the response payload, and also can be used
to attach additional metadata, such as the filename to use when saving the
response payload locally.
content-disposition = "Content-Disposition" ":"
disposition-type *( ";" disposition-parm )
disposition-type = "inline" | "attachment" | disp-ext-type
; case-insensitive
disp-ext-type = token
disposition-parm = filename-parm | disp-ext-parm
filename-parm = "filename" "=" value
| "filename*" "=" ext-value
disp-ext-parm = token "=" value
| ext-token "=" ext-value
ext-token = <the characters in token, followed by "*">
Defined in :
token = <token, defined in >
value = <value, defined in >
Defined in :
ext-value = <ext-value, defined in >
If the disposition type matches "attachment" (case-insensitively), this
indicates that the user agent should prompt the user to save the response
locally, rather than process it normally (as per its media type).
On the other hand, if it matches "inline" (case-insensitively), this implies
default processing.
Unknown or unhandled disposition types &SHOULD; be handled the same way as
"attachment" (see also ).
The parameters "filename" and "filename*", to be matched case-insensitively,
provide information on how to construct a filename for storing the message
payload.
Depending on the disposition type, this information might be used right away
(in the "save as..." interaction caused for the "attachment" disposition type),
or later on (for instance, when the user decides to save the contents of the
current page being displayed).
The parameters "filename" and "filename*" differ only in that "filename*" uses
the encoding defined in , allowing the use
of characters not present in the ISO-8859-1 character set ().
Many user agent implementations predating this specification
do not understand the "filename*" parameter. Therefore, when both "filename"
and "filename*" are present in a single header field value, recipients
&SHOULD; pick "filename*" and ignore "filename". This way, senders
can avoid special-casing specific user agents by sending both the
more expressive "filename*" parameter, and the "filename" parameter
as fallback for legacy recipients (see for
an example).
It is essential that user agents treat the specified filename as advisory
only, thus be very careful in extracting the desired information.
In particular:
When the value contains path separator characters, all but the last
segment &SHOULD; be ignored. This prevents unintentional overwriting
of well-known file system location (such as "/etc/passwd").
Many platforms do not use Internet Media Types ()
to hold type information in the file system, but rely on filename
extensions instead. Trusting the server-provided file extension could
introduce a privilege escalation when the saved file is later opened
(consider ".exe"). Thus, recipients need to ensure that a file extension
is used that is safe, optimally matching the media type of the received
payload.
Other aspects recipients need to be aware of are names that have a
special meaning in the file system or in shell commands, such as "." and "..",
"~", "|", and also device names.
To enable future extensions, unknown parameters &SHOULD; be ignored (see also ).
Note that defines IANA registries both
for disposition types and disposition parameters. This registry is
shared by different protocols using Content-Disposition, such as MIME and HTTP.
Therefore, not all registered values may make sense in the context of HTTP.
Direct UA to show "save as" dialog, with a filename of "example.html":
Content-Disposition: Attachment; filename=example.html
Direct UA to behave as if the Content-Disposition header field wasn't present,
but to remember the filename "example.html" for a subsequent save operation:
Content-Disposition: INLINE; FILENAME= "example.html"
Direct UA to show "save as" dialog, with a filename of "an example":
Content-Disposition: Attachment; Filename*=UTF-8'en'an%20example
Note that this example uses the extended encoding defined in
to specify that the natural language of the filename
is English, and also to encode the space character which is not allowed in the
token production.
Direct UA to show "save as" dialog, with a filename containing the Unicode character U+20AC (EURO SIGN):
Content-Disposition: attachment;
filename*= UTF-8''%e2%82%ac%20rates
Here, the encoding defined in is also used to encode the
non-ISO-8859-1 character.
Same as above, but adding the "filename" parameter for compatibility with
user agents not implementing RFC 5987:
Content-Disposition: attachment;
filename="EURO rates";
filename*=utf-8''%e2%82%ac%20rates
Note: as of September 2010, those user agents that do not support the RFC 5987
encoding ignore "filename*" when it occurs after "filename". Unfortunately,
some user agents that do support RFC 5987 do pick the "filename" rather
than the "filename*" parameter when it occurs first; it is expected that
this situation is going to improve soon.
The "filename*" parameter (),
using the encoding defined in , allows the
server to transmit characters outside the ISO-8859-1 character set,
and also to optionally specify the language in use.
Future parameters might also require internationalization, in which case
the same encoding can be used.
Using server-supplied information for constructing local filenames introduces
many risks. These are summarized in .
Furthermore, implementers also ought to be aware of the Security
Considerations applying to HTTP (see ), and also the parameter encoding defined in
(see ).
This specification does not introduce any changes to the registration
procedures for disposition values and parameters that are defined in
.
This document updates the definition of the Content-Disposition HTTP header field
in the permanent HTTP header field registry (see ).
Content-DispositionhttpstandardIETFthis specification ()
Thanks to Rolf Eike Beer, Bjoern Hoehrmann, Alfred Hoenes, Roar Lauritzsen,
Henrik Nordstrom, and Mark Nottingham for their valuable feedback.
Key words for use in RFCs to Indicate Requirement LevelsHarvard Universitysob@harvard.eduGeneral
keywordHypertext Transfer Protocol -- HTTP/1.1University of California, Irvinefielding@ics.uci.eduW3Cjg@w3.orgCompaq Computer Corporationmogul@wrl.dec.comMIT Laboratory for Computer Sciencefrystyk@w3.orgXerox Corporationmasinter@parc.xerox.comMicrosoft Corporationpaulle@microsoft.comW3Ctimbl@w3.orgCharacter Set and Language Encoding for Hypertext Transfer Protocol (HTTP) Header Field Parametersgreenbytes GmbHHafenweg 16MuensterNW48155Germanyjulian.reschke@greenbytes.dehttp://greenbytes.de/tech/webdav/Information technology -- 8-bit single-byte coded graphic character sets -- Part 1: Latin alphabet No. 1International Organization for StandardizationMultipurpose Internet Mail Extensions (MIME) Part Two: Media TypesInnosoft International, Inc.ned@innosoft.comFirst Virtual Holdingsnsb@nsb.fv.comMIME (Multipurpose Internet Mail Extensions) Part Three: Message Header Extensions for Non-ASCII TextUniversity of Tennesseemoore@cs.utk.eduCommunicating Presentation Information in Internet Messages: The Content-Disposition Header FieldNew Century Systemsrens@century.comQUALCOMM Incorporatedsdorner@qualcomm.comDepartment of Computer Sciencemoore@cs.utk.eduMIME Parameter Value and Encoded Word Extensions: Character Sets, Languages, and ContinuationsInnosoft International, Inc.ned.freed@innosoft.comUniversity of Tennesseemoore@cs.utk.eduUTF-8, a transformation format of ISO 10646Alis Technologiesfyergeau@alis.comRegistration Procedures for Message Header FieldsNine by NineGK-IETF@ninebynine.orgBEA Systemsmnot@pobox.comHP LabsJeffMogul@acm.orgUniform Resource Identifier (URI): Generic SyntaxWorld Wide Web Consortiumtimbl@w3.orghttp://www.w3.org/People/Berners-Lee/Day Softwarefielding@gbiv.comhttp://roy.gbiv.com/Adobe Systems IncorporatedLMM@acm.orghttp://larry.masinter.net/
Compared to , the following
normative changes reflecting actual implementations have been made:
According to RFC 2616, the disposition type "attachment" only applies to
content of type "application/octet-stream". This restriction has been
removed, because user agents in practice do not check the content type, and
it also discourages properly declaring the media type.
RFC 2616 only allows "quoted-string" for the filename parameter. This
would be an exceptional parameter syntax, and also doesn't reflect actual
use.
The definition for the disposition type "inline" ()
has been re-added with a suggestion for its processing.
This specification requires support for the extended parameter encoding
defined in .
defines several additional
disposition parameters: "creation-date", "modification-date",
"quoted-date-time", and "size". These do not appear to be implemented by
any user agent, thus have been omitted from this specification.
By default, HTTP header field parameters cannot carry characters outside
the ISO-8859-1 () character encoding (see
). For the "filename"
parameter, this of course is an unacceptable restriction.
Unfortunately, user agent implementers have not managed to come up with
an interoperable approach, although the IETF Standards Track specifies
exactly one solution (, clarified and profiled for
HTTP in ).
For completeness, the sections below describe the various approaches that
have been tried, and explains how they are inferior to the RFC 5987
encoding used in this specification.
RFC 2047 defines an encoding mechanism for
header fields, but this encoding is not supposed to be used for
header field parameters - see :

An 'encoded-word' MUST NOT appear within a 'quoted-string'.
...
An 'encoded-word' MUST NOT be used in parameter of a MIME Content-Type or Content-Disposition field, or in any structured field body except within a 'comment' or 'phrase'.

In practice, some user agents implement the encoding, some do not
(exposing the encoded string to the user), and some get confused by it.
Some user agents accept percent encoded ()
sequences of characters encoded using the UTF-8 () character encoding.
In practice, this is hard to use because those user agents
that do not support it will display the escaped character sequence to the user.
Furthermore, the first user agent to implement this did choose the encoding
based on local settings; thus making it very hard to use in multi-lingual
environments.
Some user agents inspect the value (which defaults to ISO-8859-1) and
switch to UTF-8 when it seems to be more likely to be the correct
interpretation.
As with the approaches above, this is not interoperable and furthermore
risks misinterpreting the actual value.
Unfortunately, as of September 2010, neither the encoding defined in RFCs 2231
and 5987, nor any of the alternate approaches discussed above was
implemented interoperably. Thus, this specification recommends the approach
defined in RFC 5987, which at least has the advantage of actually being
specified properly.
The table below shows the implementation support for the various approaches:
User AgentRFC 2231/5987RFC 2047Percent EncodingEncoding SniffingChromenoyesyesyesFirefoxyes (*)yesnoyesInternet ExplorernonoyesnoKonqueroryesnononoOperayes (*)nononoSafarinononoyes
(*) Does not implement the fallback behavior to "filename" described in
.
Adjust terminology ("header" -> "header field").
Update rfc2231-in-http reference.
Update rfc2231-in-http reference. Actually define the "filename"
parameter. Add internationalization considerations.
Add examples using the RFC 5987 encoding.
Add overview over other approaches, plus a table reporting
implementation status.
Add and resolve issue "nodep2183".
Add issues "asciivsiso",
"deplboth", "quoted", and "registry".
Add and close issue "docfallback".
Close issues "asciivsiso", "deplboth", "quoted", and
"registry".
Updated to be a Working Draft of the IETF HTTPbis Working Group.
Closed issues:
:
"handling of unknown disposition types"
Slightly updated the notes about the proposed fallback behavior.
None yet.